According to ESET researchers, enterprise network equipment, such as routers, that have been discarded but not properly destroyed, can reveal corporate secrets. The researchers purchased several used routers to set up a test environment and found that, in many cases, the previous configurations had not been wiped.
The data on these devices can be used by threat actors to breach networks and identify previous owners, which could lead to further attacks. The researchers stress the importance of adopting a procedure to correctly dismiss enterprise network equipment, like routers, due to the huge quantity of information they contain.
The ESET research team purchased 18 used routers to determine which kind of information was possible to find on the dismissed network equipment and how threat actors can use them in future attacks against the company that discarded them.
This type of enterprise network equipment is widely adopted by organizations worldwide and is commonly available at bargain basement prices in the secondary market. The researchers discovered that 56.25% of the devices contained trivially accessible and sensitive corporate information such as customer data, data allowing third-party connections to the network, and credentials for connecting to other networks as a trusted party.
The exposed corporate data and sensitive data include the maps of sensitive applications hosted locally or in the cloud. Attackers can use this information to launch attacks against enterprises using exploits for known vulnerabilities.
With this level of detail, impersonating network or internal hosts would be far simpler for an attacker, especially since the devices often contain VPN credentials or other easily cracked authentication tokens.
Only five devices were properly wiped by the organizations that dismissed them.
ESET attempted to notify the former owners of the routers they had purchased, and in some cases, they were responsive, while in others cases they were incredibly difficult or impossible to reach.
The study highlights the need for organizations to properly dispose of their enterprise network equipment, including routers, and to ensure that sensitive data is erased before it is discarded.
Failure to do so could result in a breach of the company’s security and the exposure of confidential data.
